(yunikorn-web) branch master updated: [YUNIKORN-3227] modelcontextprotocol/sdk high CVE (#253)

[mani]

This is an automated email from the ASF dual-hosted git repository.

mani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-web.git


The following commit(s) were added to refs/heads/master by this push:
     new fc503a5  [YUNIKORN-3227] modelcontextprotocol/sdk high CVE (#253)
fc503a5 is described below

commit fc503a532193c5e8e7908b564634432e170bd10b
Author: Wilfred Spiegelenburg <wilfr...@apache.org>
AuthorDate: Tue Feb 10 12:21:12 2026 +0530

    [YUNIKORN-3227] modelcontextprotocol/sdk high CVE (#253)
    
    Follow up on YUNIKORN-3224 as the updates of multiple dependencies have
    clashed.
    puppeteer install fix
    license exclude for the pnpm-workspace.yaml file
    cleanup lint target
    
    Closes: #253
    
    Signed-off-by: Manikandan R <maniraj...@gmail.com>
---
 Makefile            |  7 ++-----
 karma.conf.ci.js    |  2 --
 karma.conf.js       |  2 --
 pnpm-lock.yaml      | 33 +++++++++++++++++++++------------
 pnpm-workspace.yaml |  2 ++
 5 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/Makefile b/Makefile
index 7c3ffb9..10928b6 100644
--- a/Makefile
+++ b/Makefile
@@ -187,9 +187,6 @@ $(GOLANGCI_LINT_BIN):
 .PHONY: lint
 lint: $(GOLANGCI_LINT_BIN)
        @echo "running golangci-lint"
-       @git symbolic-ref -q HEAD && REV="origin/HEAD" || REV="HEAD^" ; \
-       headSHA=$$(git rev-parse --short=12 $${REV}) ; \
-       echo "checking against commit sha $${headSHA}" ; \
        "$(GOLANGCI_LINT_BIN)" run
 
 .PHONY: license-check
@@ -201,9 +198,9 @@ OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
 license-check:
        @echo "checking license headers:"
 ifeq (darwin,$(OS))
-       $(shell mkdir -p "$(OUTPUT)" && find -E . -not \( -path './.git*' 
-prune \) -not \( -path ./coverage -prune \) -not \( -path ./node_modules 
-prune \) -not \( -path ./build -prune \) -not \( -path ./tools -prune \) -not 
-path ./pnpm-lock.yaml -regex ".*\.(go|sh|md|conf|yaml|yml|html|mod)" -exec 
grep -L "Licensed to the Apache Software Foundation" {} \; > 
"$(OUTPUT)/license-check.txt")
+       $(shell mkdir -p "$(OUTPUT)" && find -E . -not \( -path './.git*' 
-prune \) -not \( -path ./coverage -prune \) -not \( -path ./node_modules 
-prune \) -not \( -path ./build -prune \) -not \( -path ./tools -prune \) -not 
-path ./pnpm-*.yaml -regex ".*\.(go|sh|md|conf|yaml|yml|html|mod)" -exec grep 
-L "Licensed to the Apache Software Foundation" {} \; > 
"$(OUTPUT)/license-check.txt")
 else
-       $(shell mkdir -p "$(OUTPUT)" && find . -not \( -path './.git*' -prune 
\) -not \( -path ./coverage -prune \) -not \( -path ./node_modules -prune \) 
-not \( -path ./build -prune \) -not \( -path ./tools -prune \) -not -path 
./pnpm-lock.yaml -regex ".*\.\(go\|sh\|md\|conf\|yaml\|yml\|html\|mod\)" -exec 
grep -L "Licensed to the Apache Software Foundation" {} \; > 
"$(OUTPUT)/license-check.txt")
+       $(shell mkdir -p "$(OUTPUT)" && find . -not \( -path './.git*' -prune 
\) -not \( -path ./coverage -prune \) -not \( -path ./node_modules -prune \) 
-not \( -path ./build -prune \) -not \( -path ./tools -prune \) -not -path 
./pnpm-*.yaml -regex ".*\.\(go\|sh\|md\|conf\|yaml\|yml\|html\|mod\)" -exec 
grep -L "Licensed to the Apache Software Foundation" {} \; > 
"$(OUTPUT)/license-check.txt")
 endif
        @if [ -s "$(OUTPUT)/license-check.txt" ]; then \
                echo "following files are missing license header:" ; \
diff --git a/karma.conf.ci.js b/karma.conf.ci.js
index 4f9a5f6..2f082f1 100644
--- a/karma.conf.ci.js
+++ b/karma.conf.ci.js
@@ -19,8 +19,6 @@
 // Karma configuration file, see link for more information
 // https://karma-runner.github.io/1.0/config/configuration-file.html
 
-process.env.CHROME_BIN = require('puppeteer').executablePath();
-
 module.exports = function (config) {
   config.set({
     basePath: '',
diff --git a/karma.conf.js b/karma.conf.js
index 9b21ae1..781403f 100644
--- a/karma.conf.js
+++ b/karma.conf.js
@@ -19,8 +19,6 @@
 // Karma configuration file, see link for more information
 // https://karma-runner.github.io/1.0/config/configuration-file.html
 
-process.env.CHROME_BIN = require('puppeteer').executablePath();
-
 module.exports = function (config) {
   config.set({
     basePath: '',
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a42ce52..502753d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+overrides:
+  '@modelcontextprotocol/sdk@>=1.10.0 <=1.25.3': '>=1.26.0'
+
 importers:
 
   .:
@@ -116,7 +119,7 @@ importers:
         version: 
20.3.14(@angular/compiler-cli@20.3.16(@angular/compiler@20.3.16)(typescript@5.8.3))(@angular/compiler@20.3.16)(@angular/core@20.3.16(@angular/compiler@20.3.16)(rxjs@7.8.2)(zone.js@0.15.1))(@angular/platform-browser@20.3.16(@angular/animations@20.3.16(@angular/core@20.3.16(@angular/compiler@20.3.16)(rxjs@7.8.2)(zone.js@0.15.1)))(@angular/common@20.3.16(@angular/core@20.3.16(@angular/compiler@20.3.16)(rxjs@7.8.2)(zone.js@0.15.1))(rxjs@7.8.2))(@angular/core@20.3.16(@angular
 [...]
       '@angular/cli':
         specifier: ^20.3.15
-        version: 20.3.15(@types/node@20.19.29)(chokidar@4.0.3)(hono@4.11.7)
+        version: 20.3.15(@types/node@20.19.29)(chokidar@4.0.3)
       '@angular/compiler-cli':
         specifier: ^20.3.16
         version: 20.3.16(@angular/compiler@20.3.16)(typescript@5.8.3)
@@ -900,8 +903,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@modelcontextprotocol/sdk@1.25.2':
-    resolution: {integrity: 
sha512-LZFeo4F9M5qOhC/Uc1aQSrBHxMrvxett+9KLHt7OhcExtoiRN9DKgbZffMP/nxjutWDQpfMDfP3nkHI4X9ijww==}
+  '@modelcontextprotocol/sdk@1.26.0':
+    resolution: {integrity: 
sha512-Y5RmPncpiDtTXDbLKswIJzTqu2hyBKxTNsgKqKclDbhIgg1wgtf1fRuvxgTnRfcnxtvvgbIEcqUOzZrJ6iSReg==}
     engines: {node: '>=18'}
     peerDependencies:
       '@cfworker/json-schema': ^4.1.1
@@ -2080,8 +2083,8 @@ packages:
   exponential-backoff@3.1.3:
     resolution: {integrity: 
sha512-ZgEeZXj30q+I0EN+CbSSpIyPaJ5HVQD18Z1m+u1FXbAeT94mr1zw50q4q6jiiC447Nl/YTcIYSAftiGqetwXCA==}
 
-  express-rate-limit@7.5.1:
-    resolution: {integrity: 
sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==}
+  express-rate-limit@8.2.1:
+    resolution: {integrity: 
sha512-PCZEIEIxqwhzw4KF0n7QF4QqruVTcF73O5kFKUnGOyjbCCgizBBiFaYpd/fnBLUMPw/BWw9OsiN7GgrNYr7j6g==}
     engines: {node: '>= 16'}
     peerDependencies:
       express: '>= 4.11'
@@ -2353,6 +2356,10 @@ packages:
     resolution: {integrity: 
sha512-IBTdIkzZNOpqm7q3dRqJvMaldXjDHWkEDfrwGEQTs5eaQMWV+djAhR+wahyNNMAa+qpbDUhBMVt4ZKNwpPm7xQ==}
     engines: {node: ^20.17.0 || >=22.9.0}
 
+  ip-address@10.0.1:
+    resolution: {integrity: 
sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==}
+    engines: {node: '>= 12'}
+
   ip-address@10.1.0:
     resolution: {integrity: 
sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==}
     engines: {node: '>= 12'}
@@ -3906,14 +3913,14 @@ snapshots:
       rxjs: 7.8.2
       tslib: 2.8.1
 
-  '@angular/cli@20.3.15(@types/node@20.19.29)(chokidar@4.0.3)(hono@4.11.7)':
+  '@angular/cli@20.3.15(@types/node@20.19.29)(chokidar@4.0.3)':
     dependencies:
       '@angular-devkit/architect': 0.2003.15(chokidar@4.0.3)
       '@angular-devkit/core': 20.3.15(chokidar@4.0.3)
       '@angular-devkit/schematics': 20.3.15(chokidar@4.0.3)
       '@inquirer/prompts': 7.8.2(@types/node@20.19.29)
       '@listr2/prompt-adapter-inquirer': 
3.0.1(@inquirer/prompts@7.8.2(@types/node@20.19.29))(@types/node@20.19.29)(listr2@9.0.1)
-      '@modelcontextprotocol/sdk': 1.25.2(hono@4.11.7)(zod@4.1.13)
+      '@modelcontextprotocol/sdk': 1.26.0(zod@4.1.13)
       '@schematics/angular': 20.3.15(chokidar@4.0.3)
       '@yarnpkg/lockfile': 1.1.0
       algoliasearch: 5.35.0
@@ -3930,7 +3937,6 @@ snapshots:
       - '@cfworker/json-schema'
       - '@types/node'
       - chokidar
-      - hono
       - supports-color
 
   
'@angular/common@20.3.16(@angular/core@20.3.16(@angular/compiler@20.3.16)(rxjs@7.8.2)(zone.js@0.15.1))(rxjs@7.8.2)':
@@ -4442,7 +4448,7 @@ snapshots:
   '@lmdb/lmdb-win32-x64@3.4.2':
     optional: true
 
-  '@modelcontextprotocol/sdk@1.25.2(hono@4.11.7)(zod@4.1.13)':
+  '@modelcontextprotocol/sdk@1.26.0(zod@4.1.13)':
     dependencies:
       '@hono/node-server': 1.19.9(hono@4.11.7)
       ajv: 8.17.1
@@ -4453,7 +4459,8 @@ snapshots:
       eventsource: 3.0.7
       eventsource-parser: 3.0.6
       express: 5.2.1
-      express-rate-limit: 7.5.1(express@5.2.1)
+      express-rate-limit: 8.2.1(express@5.2.1)
+      hono: 4.11.7
       jose: 6.1.3
       json-schema-typed: 8.0.2
       pkce-challenge: 5.0.1
@@ -4461,7 +4468,6 @@ snapshots:
       zod: 4.1.13
       zod-to-json-schema: 3.25.1(zod@4.1.13)
     transitivePeerDependencies:
-      - hono
       - supports-color
 
   '@msgpackr-extract/msgpackr-extract-darwin-arm64@3.0.3':
@@ -5577,9 +5583,10 @@ snapshots:
 
   exponential-backoff@3.1.3: {}
 
-  express-rate-limit@7.5.1(express@5.2.1):
+  express-rate-limit@8.2.1(express@5.2.1):
     dependencies:
       express: 5.2.1
+      ip-address: 10.0.1
 
   express-urlrewrite@1.4.0:
     dependencies:
@@ -5923,6 +5930,8 @@ snapshots:
 
   ini@6.0.0: {}
 
+  ip-address@10.0.1: {}
+
   ip-address@10.1.0: {}
 
   ipaddr.js@1.9.1: {}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..f8d6324
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,2 @@
+overrides:
+  '@modelcontextprotocol/sdk@>=1.10.0 <=1.25.3': '>=1.26.0'


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: issues-h...@yunikorn.apache.org